
Using the Hardware RNG on Raspberry Pi

2017/11/05 by Flo

In computers there is actually no true randomness. What we call random numbers often originates from deterministic "fake" random number generators (RNGs). Such RNGs are algorithms that produce numbers which pretty much look like they were randomly generated, but they are computed and thus not really random. Real randomness comes from thermal noise in analog components, which can be sampled. Such sampled values are then often post-processed by some sort of scrambling algorithm to create a series of random numbers. Well, the Raspberry Pi has such an analog circuit in its SoC, and it can help to create a random seed from what we would call "real" randomness.

On a current Raspbian Stretch you can access the randomness by just calling

sudo cat /dev/hwrng

If you would like to access it with user level access permissions you could do

sudo chmod a+r /dev/hwrng

To make the change permanent, make the following change (as root) in the /etc/rc.local:

chmod a+r /dev/hwrng

If you would like to generate a 1 megabyte file with random numbers (bytes), use the following command:

dd if=/dev/hwrng of=hwrng-test-data.bin bs=1024 count=1024

In OpenSSL you can use the random source like this:

openssl genrsa -rand /dev/hwrng 2048

OpenSSL's internal PRNG uses a 1024 byte pool mixing entropy with a SHA-based function, so the more bytes mixed in, the better. It cannot hurt to add entropy into the pool and this should not decrease overall security (and randomness) for the crypto keys at all.
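Before feeding /dev/hwrng into OpenSSL or a key generator it is worth a quick health check of the device output. The following script is an added example and not code from the original post: it reads a sample from a path such as /dev/hwrng (the path, the 64 KiB sample size and the pass/fail limits are my own choices) and runs a monobit test on the bit stream plus a chi-square test on the byte histogram. Passing these tests does not prove randomness, but failing them proves a broken or misconfigured source, which is exactly what you want to catch before the bytes end up in a key.

```python
"""Quick statistical sanity checks for a sample taken from /dev/hwrng.

Added example, not code from the original post. Reads a sample from a
device path (or takes raw bytes) and runs two cheap tests: a monobit test
on the bit stream and a chi-square test on the byte histogram.
"""
import math
import os
import random

SAMPLE_BYTES = 65536  # 64 KiB is plenty for a quick health check (assumption)


def monobit_score(data: bytes) -> float:
    """|ones - zeros| / sqrt(bits). For a good source this behaves like the
    absolute value of a standard normal variable, so values above ~4 are
    practically impossible by chance."""
    n_bits = len(data) * 8
    ones = sum(bin(b).count("1") for b in data)
    return abs(2 * ones - n_bits) / math.sqrt(n_bits)


def byte_chi_square(data: bytes) -> float:
    """Chi-square of the byte histogram against a uniform distribution over
    256 values (255 degrees of freedom; a good source gives about 255 with a
    standard deviation of roughly 23)."""
    expected = len(data) / 256
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return sum((c - expected) ** 2 / expected for c in counts)


def assess(data: bytes, monobit_limit: float = 4.0, chi_limit: float = 400.0) -> dict:
    """Run both tests and report whether the sample passes. The limits are
    deliberately loose (far outside what a healthy source produces) so that
    a failure is a real signal rather than a statistical fluke."""
    if len(data) < 4096:
        raise ValueError("need at least 4 KiB for a meaningful check")
    mono = monobit_score(data)
    chi = byte_chi_square(data)
    return {
        "bytes": len(data),
        "monobit": round(mono, 3),
        "chi_square": round(chi, 1),
        "ok": mono < monobit_limit and chi < chi_limit,
    }


def assess_device(path: str = "/dev/hwrng", n: int = SAMPLE_BYTES) -> dict:
    """Read n bytes from the device (needs read permission, see the chmod above)."""
    with open(path, "rb") as fh:
        data = fh.read(n)
    return assess(data)


def constructed_sample(seed: int = 1, n: int = SAMPLE_BYTES) -> bytes:
    """Deterministic PRNG output, constructed only so the checks can be
    exercised on a machine without /dev/hwrng. It is NOT a random source."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


if __name__ == "__main__":
    if os.path.exists("/dev/hwrng"):
        print(assess_device())
    else:
        print(assess(constructed_sample()))
```

A stuck source (all zero bytes) fails both tests; a patterned source such as repeated 0x55 has perfectly balanced bits and passes the monobit test but is caught by the histogram test, which is why both are run.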

Bypassing script filtering in firewall appliance solutions

2017/08/03 by Flo

In professional environments, web proxy firewall appliances are state of the art for protecting PCs from malicious content. Depending on the level of mitigation, some of these appliance solutions filter all active content, like Flash and scripting code, out of the HTML content transferred.

While reading a course on SVG I stumbled upon the scripting support of SVG, and then an idea came to my mind: Well, if SVG is interpreted as HTML code in modern browsers, and SVG also supports active content using JavaScript, why not use it to bypass script filtering? As you might already assume: it seems that some vendors fail to filter out scripts in SVG, so it could be possible to inject evil code into protected systems by just using SVG and forcing a target to open such an image, e.g. through a watering-hole attack. Some of these appliance solutions perfectly filter out scripting code from HTML, but fail to do so with SVG.

I do not want to publish a list of vulnerable manufacturers, you can try it yourself. I have created a JavaScript SVG PoC, which you can try to open from your protected environment and instantly see if active code is still getting executed - even if e.g. JavaScript usually gets filtered out by your firewall appliance. The PoC shows a smiley; if you click on the image, the embedded JavaScript shows a message box.
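From the defender's side, the question is what a filtering proxy (or a mail gateway) has to look for inside an SVG before passing it on. The following scanner is an added example, not the post's PoC and not any vendor's code: it walks the SVG as XML and reports `<script>` and `<foreignObject>` elements, `on*` event handler attributes and `javascript:` URLs in `href`/`xlink:href`. The element and attribute lists are my own assumption, not an exhaustive specification, and the two sample images are constructed for the example.

```python
"""Find active content in an SVG document, the checks a filtering proxy
should apply before passing an image on. Added example, not code from the
original post or its PoC."""
import xml.etree.ElementTree as ET
from typing import List

# Elements and attributes that let an SVG run or embed code. The list is
# an assumption for this example, not an exhaustive specification.
SCRIPT_ELEMENTS = {"script", "foreignobject"}
URL_ATTRIBUTES = {"href"}  # covers both plain href and xlink:href


def local_name(qualified: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return qualified.rsplit("}", 1)[-1].lower()


def find_active_content(svg_text: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means the
    document contains none of the checked constructs."""
    # NOTE: ElementTree is used for brevity; on untrusted input from the
    # network, parse with defusedxml instead to avoid entity-expansion attacks.
    root = ET.fromstring(svg_text)
    findings = []
    for elem in root.iter():
        name = local_name(elem.tag)
        if name in SCRIPT_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in elem.attrib.items():
            aname = local_name(attr)
            if aname.startswith("on"):  # onload, onclick, onmouseover, ...
                findings.append(f"{aname} handler on <{name}>")
            if aname in URL_ATTRIBUTES and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL on <{name}>")
    return findings


# Constructed samples: a plain smiley and the same image with active parts.
CLEAN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">
  <circle cx="50" cy="50" r="45" fill="gold"/>
  <circle cx="35" cy="40" r="5"/><circle cx="65" cy="40" r="5"/>
  <path d="M30 65 Q50 85 70 65" stroke="black" fill="none"/>
</svg>"""

ACTIVE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 100 100">
  <script>/* constructed placeholder, no payload */</script>
  <circle cx="50" cy="50" r="45" fill="gold" onclick="/* placeholder */"/>
  <a xlink:href="javascript:void(0)"><circle cx="35" cy="40" r="5"/></a>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_SVG), ("active", ACTIVE_SVG)):
        print(label, find_active_content(doc) or "no active content")
```

A proxy that strips `<script>` from HTML but lets an `image/svg+xml` response through untouched misses all three constructs; the same policy applied to SVG bodies (or simply rasterizing SVGs at the gateway) closes the gap the post describes.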

If you have any questions, please do not hesitate and contact me.

File-Schizophren in ZIP/HTA

2017/06/28 by Flo

There was a presentation by Ange Albertini and Gynvael Coldwind back in 2014 discussing schizophrenic files. What is meant by a schizophrenic file? Well, in short: You have one file, and this file can be opened and processed correctly by at least two tools. I stumbled upon a zip-compressed file which contains a .hta file. This file can be successfully opened by any ZIP tool but also successfully opens with mshta.exe. The example file I was analyzing was yet another malware dropper, as you can see in the following screenshot:
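A mail gateway or sandbox can flag this kind of file by asking both questions at once: does the ZIP parser accept it, and do HTA/HTML markers appear in the raw bytes (which is only possible when the entry is stored uncompressed)? The following classifier is an added example, not code from the original post; the marker list is my own assumption and the sample archive is constructed here with an empty placeholder script, so it carries no payload.

```python
"""Detect a file that is both a valid ZIP archive and carries HTA/HTML
markup, the 'schizophrenic' ZIP/HTA case described above. Added example,
not code from the original post; the sample archive is constructed here
and contains no script body."""
import io
import zipfile
from typing import Dict, List

# Raw byte markers a lenient HTML host like mshta.exe would render; the
# list is an assumption for this example.
HTA_MARKERS = [b"<hta:application", b"<script", b"<html"]


def is_zip(data: bytes) -> bool:
    """True if the bytes carry a usable ZIP central directory."""
    return zipfile.is_zipfile(io.BytesIO(data))


def raw_hta_markers(data: bytes) -> List[str]:
    """Markers visible in the raw bytes. Only stored (uncompressed) entries
    expose their text this way, which is what makes the polyglot work."""
    lower = data.lower()
    return [m.decode() for m in HTA_MARKERS if m in lower]


def hta_entries(data: bytes) -> List[str]:
    """Entry names inside the archive ending in .hta."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [i.filename for i in zf.infolist() if i.filename.lower().endswith(".hta")]


def classify(data: bytes) -> Dict[str, object]:
    zipped = is_zip(data)
    markers = raw_hta_markers(data) if zipped else []
    entries = hta_entries(data) if zipped else []
    return {
        "is_zip": zipped,
        "raw_hta_markers": markers,
        "hta_entries": entries,
        # polyglot: both parsers accept the same bytes; otherwise it is a
        # plain ZIP that merely carries an HTA (still worth a look)
        "verdict": "zip/hta polyglot" if zipped and markers else
                   "zip containing hta" if entries else
                   "no hta indicators",
    }


def build_sample() -> bytes:
    """Constructed test fixture: a ZIP whose single stored entry is a minimal
    HTA skeleton with a placeholder script element and no payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice.hta",
                    '<html><hta:application id="x"/>\n'
                    '<script>/* constructed placeholder, no payload */</script></html>')
    return buf.getvalue()


if __name__ == "__main__":
    print(classify(build_sample()))
    print(classify(b"just some text"))
```

The verdict distinguishes the polyglot (markers visible in the raw bytes, so a lenient HTML parser reading the whole file will find them) from an ordinary archive that merely contains an .hta entry; a gateway policy would typically block both, but the first one is the interesting signal for an analyst.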

Phishing-Mails targeting Amazon Seller Central

2017/06/12 by Flo

There is an Amazon Seller Central phishing mail scam/spam campaign ongoing. The cyber crooks send complaint e-mails containing an attachment which imitates Amazon's German Seller Central page. Do not open such an attachment, and please do not enter your username and password into the scam page that pops up if you have opened the attachment. It is a phishing page hunting for your Amazon credentials!

cmd.exe shell code obfuscation using ^-characters

2017/06/11 by Flo

A while ago, I stumbled over some Word and Excel files containing malicious macros, which download and execute ransomware via the cmd.exe shell. Well, nothing really new; the fact that made me curious was that the cyber crooks utilized the command shell in a tricky way:

Instead of executing the commands in plain text, they used the ^ symbol to obfuscate their call to the PowerShell interpreter. If you remove the ^ symbols you quickly recognize a well-known HTTP downloading technique often used by cyber criminals and seen in many malicious campaigns.
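Removing the carets by hand works for one sample; for command-line logging and detection rules you want to normalize them automatically, following cmd.exe's own rules (outside double quotes `^` escapes the next character and `^` before a newline joins lines; inside double quotes `^` is literal). The following normalizer is an added example, not code from the original post; the obfuscated command line it works on is constructed and only spells out `cmd.exe /c echo`, not the downloader the post refers to.

```python
"""Undo cmd.exe caret obfuscation so a command line can be matched against
detection rules. Added example, not code from the original post; the
obfuscated command below is constructed and harmless."""


def strip_cmd_carets(cmdline: str) -> str:
    """Apply cmd.exe's escape rules: outside double quotes, ^ escapes the
    following character (and ^ followed by a newline joins lines); inside
    double quotes ^ is literal. Only this caret trick is handled, not other
    cmd obfuscation tricks such as environment variable substrings."""
    out = []
    in_quotes = False
    i = 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '"':
            in_quotes = not in_quotes
            out.append(ch)
        elif ch == "^" and not in_quotes:
            if i + 1 >= len(cmdline):  # trailing caret escapes nothing
                break
            nxt = cmdline[i + 1]
            if nxt != "\n":  # ^<newline> is a line continuation and vanishes
                out.append(nxt)  # ^" yields a literal quote, not a toggle
            i += 2
            continue
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def caret_density(cmdline: str) -> float:
    """Share of characters that are carets; legitimate command lines almost
    never exceed a few percent, so this is a cheap obfuscation indicator
    worth logging next to the normalized command line."""
    return cmdline.count("^") / max(len(cmdline), 1)


# Constructed sample in the same style as the macros described above
# (interpreter name spelled out with carets); it only echoes a string.
OBFUSCATED = 'c^m^d.e^x^e /c e^c^h^o "^keep^" d^o^n^e'

if __name__ == "__main__":
    print(strip_cmd_carets(OBFUSCATED))
    print(f"caret density: {caret_density(OBFUSCATED):.2f}")
```

Match detection rules against the normalized string, but keep the raw one as well: a high caret density is itself a good indicator even when the normalized command line is not on any list.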

Deutsche Telekom's Malware Warning Service

2017/05/28 by Flo

Well, as you might know, I do not just love to hack and implement kernel drivers, I also love to analyze malware samples. I have set up a dedicated analysis machine where I can install and track down a specific malware sample file. I make heavy use of my drivers to log what such a malware sample does, but also have some special drivers for the networking stuff. It is great fun to see what a specific malware family is downloading and doing on an infected machine. I never expected that my online provider gives a damn about what I am doing, until I received a security warning notice:

Well, it is somehow a great service to warn customers and also to help keep the network clean from malware, especially from infected client machines which distribute spam and malware across its own and others' networks. But on the other hand I also feel a bit monitored. To run such a service you need to log all requests and compare them against a _list_. If this list just contains well known malware domains this is okay, but it could easily be changed into a list containing domains of political parties or critical newspapers that someone thinks should be flagged red. But who is or will be the authority to manage this now and in the future?! Well, this could be a delicate matter. Right now I do not feel bad about it, but this could change very quickly if there is a new legal code telling network providers to flag this and that. The technology is right in place and working.

I am not a conspiracy theorist or paranoid, but this is something we should keep in mind. As an IT security guy I am happy to see that companies work against cyber crooks and help to mitigate malware campaigns, but it is also worth discussing the controversial stuff 😀. Amen.

Recently, I have seen more and more professionally designed fake invoice e-mails coming in the name of well known (big) German companies, namely DHL (German postal service) and Deutsche Telekom (German telecommunications provider). Both companies send e-mails to their customers which look fairly similar to the fake e-mails I have observed. I assume that the criminals behind these mails just used the "official e-mails" as a blueprint for their own campaigns.

Well, somehow this progression is obvious: In the past, such spam e-mails could be detected easily because of their bad design, bad spelling and grammar. But by using the official e-mails as a blueprint, such e-mails look genuine, and if one expects a message from such a company it is even more likely that users click on the links referenced in such mails. In addition, more and more spam e-mails are personalized, meaning that such an e-mail also opens with a proper greeting. In some cases the correct address and phone number are also referenced. For an unsuspecting user there is no reason for distrust.

The thing that should ring the alarm bells in your head is that the attachments or linked documents are still suspicious and odd. In most cases it is yet another invoice.pdf.js, or invoice.pdf.exe, or a link to a scripting (js, vbs) file, see the screenshots:

I have also come across some samples where the faked messages contained a Word (.doc, .docx) or Excel (.xls, .xlsx) file containing a malicious macro. How can one tell an original e-mail apart now? Well, to be honest this can be a difficult task - even for experienced users - as the criminals improve. You need to dig deeper. Check the attachments in a more conscientious way, e.g. do you really expect an invoice or message from the provider? Does your provider really send attachments, or does the provider link to external resources (like DOCs or PDFs)? Conscientiously check such links: For example, hover over a link and look where the reference goes. In the examples above I have highlighted such links. If a link goes to a strange external domain you should be highly alerted.

What else can you do? Well, I often recommend to directly visit the home page of the service/provider and check the status or invoice there. In most cases companies have customer areas and ticket systems where you can directly check the status. You often do not need and must not use the links or attachments from an e-mail. Just see such e-mails as a trigger to check manually on the provider's/company's home page. Navigate to the page directly and do not use the link from the e-mail: type it by hand, or better, use a favorite link if you visit the page frequently.
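Two of the manual checks above, hovering over a link to see where it really goes and looking at the true extension of an attachment, can be automated for a mail gateway or a quick triage script. The following code is an added example, not code from the original post; the sample message and attachment names are constructed, the extension list combines the js, vbs and exe cases the post mentions with hta, and the "last two labels" domain comparison is a simplification I chose for the example.

```python
"""Automate two phishing checks from the post: does a link's visible text
name a domain other than the one its href points to, and does an attachment
hide a script or executable behind a document extension? Added example,
not code from the original post; sample data is constructed."""
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Extensions the post lists as typical droppers (js, vbs, exe) plus hta.
ACTIVE_EXTENSIONS = {"js", "vbs", "exe", "hta"}
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links: List[Dict[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append({"text": "".join(self._text).strip(), "href": self._href})
            self._href = None


def registered_domain(host: str) -> str:
    """Crude 'last two labels' comparison; an assumption for this example
    (a real gateway would use the public suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def link_mismatches(html: str) -> List[Dict[str, str]]:
    """Links whose visible text names a domain other than the href's host,
    i.e. the 'hover and look where it goes' check."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for link in parser.links:
        m = DOMAIN_IN_TEXT.search(link["text"])
        href_host = urlparse(link["href"]).hostname or ""
        if m and href_host and registered_domain(m.group(1)) != registered_domain(href_host):
            findings.append({**link, "text_domain": m.group(1).lower(), "href_host": href_host})
    return findings


def suspicious_attachments(names: List[str]) -> List[str]:
    """Names whose real (last) extension is active content, which catches the
    invoice.pdf.js double-extension trick as well as plain .exe files."""
    return [n for n in names if "." in n and n.lower().rsplit(".", 1)[-1] in ACTIVE_EXTENSIONS]


# Constructed sample message: one link whose text and target disagree,
# one consistent link. Domains are RFC 2606 examples.
SAMPLE_MAIL = """<html><body>
<p>Your invoice is ready: <a href="http://example.net/login">https://www.example.com/invoices</a></p>
<p><a href="https://www.example.com/help">Help centre</a></p>
</body></html>"""

if __name__ == "__main__":
    print(link_mismatches(SAMPLE_MAIL))
    print(suspicious_attachments(["invoice.pdf.js", "invoice.pdf", "setup.exe"]))
```

Note that the mismatch check only fires when the visible text itself looks like a URL or domain; a link labelled "Help centre" gives the check nothing to compare, which is exactly why the post's advice to navigate to the provider's page by hand still stands.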

Some thoughts on CVE-2017-0199 and Application Whitelisting

2017/04/17 by Flo

As you might already know there is an Office Remote Code Execution Vulnerability (CVE-2017-0199) being actively exploited by cyber crooks. If you look at the incident from a more formal perspective there is nothing really new. Well, yet another exploit which leads to code execution. Hackers first exploit, then start some kind of malware-dropper to place and install the final malware executable onto your machine.

This again proves that any application whitelisting strategy proactively helps to mitigate attacks. Sure, there are still ways to bypass application whitelisting, but in most cases it dramatically reduces the risk of getting infected by the most common malware and exploits we see in the wild. If you deploy application whitelisting you do not have to mess around with all this ordinary malware stuff. You can focus on the more sophisticated attacks, and this is what you should do! For example you can use Excubits' drivers like MZWriteScanner, MemProtect, and Pumpernickel to monitor your end-points for suspicious behavior and track down sophisticated exploits and attacks more easily by getting informed about executables dropped onto the machines, access attempts to uncertain folders, or by checking command line parameters of started executables. But you do not need to install such expert tools: Sysinternals' free kit of tiny helpers and the powerful Windows Event Log are also beneficial and great tools to monitor what is going on.

Application whitelisting in combination with consistent monitoring can help a lot to counter the threats we see. You can make use of dedicated tools, but you can also just use AppLocker, GPOs and the Event Log. Well, the most important thing here is not what to use, or to start a battle over who or which solution is better. Just get up and start doing it.

As noted above, this concerns not just the ordinary malware droppers coming in as fake pdf.exe or as JS or VBS scripting files, but also the more sophisticated ones. I am seeing a lot of malware campaigns featuring malware executables that are changed really quickly; the result is that most anti-virus solutions fail to detect them, and that is a big problem. On VirusTotal and other static malware analysis frameworks I often see recognition rates of around 4/56. Relying on just an anti-virus, even if the AV supports cloud based checks, heuristics and deep learning strategies, is not enough as of today. Having application whitelisting in place, plus doing comprehensive logging, brings significant value. If you fine-tune it with additional blacklisting, parent and command line scanning rules, you are well prepared; and by the way you have more time to focus on the really bad stuff instead of fighting yet another well-known ordinary attack again.

Magical increase of disk space after update

2017/04/16 by Flo

This one is just for the collection of curiosities. After patching my system I often start Windows' built-in cleanup service to free the space that service packs, patches and updates reserve for roll-back and statistics. Well, the latest patch day was great: Windows was able to upgrade the capacity of my hard disk drive. Have a look:

Your dishwasher does not work?! Try to reset it.

2017/03/12 by Flo

In the last couple of months my dishwasher often started to hang while performing a dish washing program. It seemed that the washing program stopped the machine at some point before cleaning was properly finished. Just stopping and restarting the program often was the solution. Once, before a weekend, the machine finally got stuck in a pumping loop and did not start any dish washing program. At the first moment I was like "hey, it seems to be time for a new machine", but then I remembered that the service technicians who had tried to find a hardware failure some weeks before started pressing some weird combinations of buttons, and then the dishwasher started to work again. So I started googling for technical information on my dishwasher's model and finally found some interesting information: that dishwasher model is well known. The company seems to struggle with some sort of (software) bug that leads the dishwashers to stop the program or get stuck in a pumping loop from which the machine is not able to escape - even if you power down the machine. A solution is to run the self-test program, and if everything is okay, the machine will reset the board, which results in restoring the machine to factory settings.

So why not try this before buying a new one?! I pressed the magic button combination and voila, the machine started to run the self-test program, which it passed. The internal board was set to factory settings, and the machine was running like nothing had happened before.

What have we learned from this? Well, a dishwasher is also just a computer, and like all computers they also have software bugs. So if it does not work and a technician cannot find any technical issues - like it was with my dishwasher - you should also take into consideration that this creepy thing just has a software problem. Just try to reset it; maybe this is all that was wrong. I guess that other home appliances also often might just have a software problem and not a hardware issue. Please note: For safety reasons you must ensure that there is really no electrical/technical issue. If you are sure there is not, try to find a way to reset the machine; this might help like it did in my case. 🔧👾

USB Port Blocker Lock

2017/02/22 by Flo

I just stumbled upon this: A USB port blocker lock. Well, it will not protect against sophisticated attacks, but it can help on business trips, on PCs exposed to visitors etc. to reduce the risk that someone manages to quickly plug in an evil USB device.

How Backups can become a security risk

2017/01/26 by F. Rienhardt

We all know that we should make backups to be prepared in case cyber attacks, mistakes or hardware failures destroy our valued digital gems. So why am I talking about this here? Well, since yesterday I have detected a massive amount of scans for backup files across some of our web servers and the web sites of related security researchers I am connected with. It seems that someone is scanning for backup files on web servers; I encountered HTTP GET requests for the following filenames:

If you have any backups on your web servers using one of the names from above it might be too late, and someone has already visited your server and looked for such files. You should check your access logs for more information.
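Checking the access logs for this kind of scan is easy to automate. The following script is an added example, not code from the original post: it parses Apache/nginx combined-format log lines (constructed here), picks out GET requests for backup-looking paths, groups them by client and, most importantly, reports any such request that was answered with 200, because that means the file existed and was handed out. The path pattern is my own assumption and not the list of filenames the post refers to; adapt it to whatever names you see in your own logs.

```python
"""Scan a web server access log for probes aimed at backup files, the
kind of scan described above. Added example, not code from the original
post; the log lines are constructed and the name pattern is my own
assumption, not the list of file names the post refers to."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Apache/nginx combined log format (request line split into method and path).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')

# Assumed indicators of backup/dump material reachable over HTTP.
BACKUP_PATH = re.compile(r"\.(bak|old|orig|sql|zip|tar|gz|tgz|7z|rar)$|backup|dump", re.I)

SCANNER_THRESHOLD = 3  # distinct backup-like paths from one client (assumption)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def find_backup_probes(lines: List[str]) -> List[Dict[str, str]]:
    """All GET requests whose path (query string stripped) looks like a backup."""
    probes = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "GET":
            path = rec["path"].split("?", 1)[0]
            if BACKUP_PATH.search(path):
                probes.append(rec)
    return probes


def summarize(probes: List[Dict[str, str]]) -> Dict[str, list]:
    """Clients that probed several distinct backup names (scanners) and the
    probes that were actually served with 200 (the ones to act on first)."""
    by_ip = defaultdict(set)
    served = []
    for rec in probes:
        by_ip[rec["ip"]].add(rec["path"])
        if rec["status"] == "200":  # the file existed and was handed out
            served.append((rec["ip"], rec["path"]))
    scanners = sorted(ip for ip, paths in by_ip.items() if len(paths) >= SCANNER_THRESHOLD)
    return {"scanners": scanners, "served": served}


# Constructed log excerpt: one normal visitor and one client probing for
# backups, one of which the server actually delivered.
SAMPLE_LOG = """\
198.51.100.7 - - [26/Jan/2017:09:58:12 +0100] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [26/Jan/2017:10:15:01 +0100] "GET /backup.zip HTTP/1.1" 404 209 "-" "curl/7.50.1"
203.0.113.5 - - [26/Jan/2017:10:15:01 +0100] "GET /site.tar.gz HTTP/1.1" 404 209 "-" "curl/7.50.1"
203.0.113.5 - - [26/Jan/2017:10:15:02 +0100] "GET /config.php.bak HTTP/1.1" 404 209 "-" "curl/7.50.1"
203.0.113.5 - - [26/Jan/2017:10:15:02 +0100] "GET /db_dump.sql HTTP/1.1" 200 88213 "-" "curl/7.50.1"
198.51.100.7 - - [26/Jan/2017:10:20:44 +0100] "GET /images/logo.png HTTP/1.1" 200 3321 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    found = find_backup_probes(SAMPLE_LOG.splitlines())
    for rec in found:
        print(rec["ip"], rec["path"], rec["status"])
    print(summarize(found))
```

A 404 for each probe means the scanner found nothing on that name; a 200 means the backup was publicly reachable and must be treated as disclosed, which is the case the post warns about.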

What can I do?

Doing backups is great, so first of all, congratulations for creating a backup. But well, do not store any backup directly in the root directory of your web site; it should not be accessible via an HTTP GET. It is recommended to store backups on a so called cold backup site, meaning a system which is not connected to a network and only used for backups. If this is not possible, you should at least protect such backups in an encrypted container using a strong passphrase (25-30 characters with very good entropy). If a backup was created just for temporary reasons, delete it once you have finished your work and the backup is no longer needed.

Next steps

I expect more such attacks in the future, so keep an eye on your access logs, check the file system of your web site and ensure that temporary or backup files are not accessible from the internet. Ask yourself what information is critical and could be accessed directly through the internet: Assume this information is at high risk and think about countermeasures.

I will keep an eye on it and follow up on this post. Please share and make others aware of the problem.

This article first was posted on Excubits, but was moved to my private blog, because I felt it was a bit off-topic there.